OFFICE OF THE INSPECTOR GENERAL
U.S. NUCLEAR REGULATORY COMMISSION

Audit of NRC’s Reactor Program System

OIG-05-A-11 April 13, 2005

AUDIT REPORT

All publicly available OIG reports (including this report) are accessible through
NRC’s Web site at:
http:/www.nrc.gov/reading-rm/doc-collections/insp-gen/

April 13, 2005

MEMORANDUM TO: Luis A. Reyes
               Executive Director for Operations

FROM: Stephen D. Dingbaum/RA/
      Assistant Inspector General for Audits

SUBJECT: AUDIT OF NRC’S REACTOR PROGRAM SYSTEM (OIG-05-A-11)

Attached is the Office of the Inspector General’s (OIG) audit report titled, Audit of
NRC’s Reactor Program System.

This audit found that while the implementation of the Reactor Program System
(RPS) has allowed for a single system for entering inspection information, the
information is not well protected, is not complete, and is not fully accurate. To
ensure that the system meets operational requirements, NRC needs to:

- Comply with RPS access control requirements.
- Ensure accurate and timely inspection data.
- Improve management of the system help service.
- Improve the system configuration control process.
- Provide training to system users.

During an exit conference on March 2, 2005, NRC officials provided informal
comments concerning the draft audit report.
Subsequent to that meeting, OIG
met with agency senior managers to address issues and comments needing
further clarification and/or explanation. Comments your office provided at the exit
meeting and during subsequent discussions have been incorporated, as
appropriate, in our final report.

If you have any questions, please call Beth Serepca at 415-5911 or me at
415-5915.

Attachment: As stated

Distribution

John T. Larkins, Executive Director, Advisory Committee on Reactor Safeguards/Advisory Committee on Nuclear Waste
G. Paul Bollwerk, III, Chief Administrative Judge, Atomic Safety and Licensing Board Panel
Karen D. Cyr, General Counsel
John F. Cordes, Jr., Director, Office of Commission Appellate Adjudication
Jesse L. Funches, Chief Financial Officer
Janice Dunn Lee, Director, Office of International Programs
William N. Outlaw, Director of Communications
Eliot B. Brenner, Director, Office of Public Affairs
Annette Vietti-Cook, Secretary of the Commission
Luis A. Reyes, Executive Director for Operations
Jacqueline E. Silber, Deputy Executive Director for Information Services and Administration and Chief Information Officer, OEDO
William F. Kane, Deputy Executive Director for Reactor and Preparedness Programs, OEDO
Martin J. Virgilio, Deputy Executive Director for Materials, Research, State and Compliance Programs, OEDO
William M. Dean, Assistant for Operations, OEDO
Timothy F. Hagan, Director, Office of Administration
Frank J. Congel, Director, Office of Enforcement
Guy P. Caputo, Director, Office of Investigations
Edward T. Baker, Director, Office of Information Services
Paul E. Bird, Director, Office of Human Resources
Corenthis B. Kelley, Director, Office of Small Business and Civil Rights
Jack R. Strosnider, Director, Office of Nuclear Material Safety and Safeguards
James E. Dyer, Director, Office of Nuclear Reactor Regulation
Carl J. Paperiello, Director, Office of Nuclear Regulatory Research
Paul H. Lohaus, Director, Office of State and Tribal Programs
Roy P. Zimmerman, Director, Office of Nuclear Security and Incident Response
Samuel J. Collins, Regional Administrator, Region I
William D. Travers, Regional Administrator, Region II
James L. Caldwell, Regional Administrator, Region III
Bruce S. Mallett, Regional Administrator, Region IV
Office of Public Affairs, Region I
Office of Public Affairs, Region II
Office of Public Affairs, Region IV

EXECUTIVE SUMMARY

BACKGROUND

The Nuclear Regulatory Commission's (NRC) mission is to regulate
the Nation's civilian use of byproduct, source, and special nuclear
materials to ensure adequate protection of public health and safety,
promote the common defense and security, and protect the
environment. Fundamental to the regulatory process is NRC’s
commercial nuclear power plant inspection program, which
assesses whether plant operations are properly conducted and
equipment is properly maintained. Inspectors examine licensee
activity, provide inspection findings to licensee managers, and
conduct followup inspections to ensure that corrective actions are
taken.

The Reactor Program System (RPS) is an information technology
tool that provides planning, scheduling, and reporting capabilities to
support the NRC reactor inspection and licensing programs. It is
used by NRC managers to assess the effectiveness and uniformity
of the implementation of those programs and related policies.
The Office of Nuclear Reactor Regulation (NRR) and the regions use
RPS to schedule their work assignments and to plan and schedule
licensing activities in NRR and inspection activities at nuclear
power plants.

PURPOSE

The objectives of this audit were to determine if RPS (1) provides
for the availability, confidentiality, and integrity of the data stored in
the system and (2) meets its required operational capabilities.

RESULTS IN BRIEF

While the implementation of RPS has allowed for a single system
for entering inspection information, the information is not well
protected, is not complete, and is not fully accurate. To ensure that
the system meets operational requirements, NRC needs to:

- Comply with RPS access control requirements.
- Ensure accurate and timely inspection data.
- Improve management of the system help service.
- Improve the system configuration control process.
- Provide training to system users.

RECOMMENDATIONS

This report makes 10 recommendations to strengthen protection
over RPS data and better ensure the system meets its operational
requirements. A consolidated list of recommendations appears on
page 19 of this report.

AGENCY COMMENTS

At an exit conference with agency senior executives held on
March 2, 2005, NRC officials generally agreed with the report’s
findings and recommendations.
Subsequent to that meeting, Office
of the Inspector General (OIG) staff met with NRR staff to address
specific issues and concerns needing further clarification and/or
explanation. On March 31, 2005, the Executive Director of
Operations provided a formal response to this report in which he
agreed with the final version of the report. Appendix B contains a
copy of the agency’s written comments.

ABBREVIATIONS AND ACRONYMS

OIG     Office of the Inspector General
NRC     Nuclear Regulatory Commission
NRR     Office of Nuclear Reactor Regulation
RPS     Reactor Program System
SDLCM   System Development and Life-Cycle Management

TABLE OF CONTENTS

EXECUTIVE SUMMARY

ABBREVIATIONS AND ACRONYMS

I.   BACKGROUND

II.  PURPOSE

III. FINDINGS

     A. NON-COMPLIANCE WITH RPS ACCESS CONTROL REQUIREMENTS
     B. INSPECTION DATA INACCURATE AND UNTIMELY
     C. RPS HELP (RPSHELP) IS INEFFICIENT
     D. CONFIGURATION CONTROL PROCESS HAS NOT IDENTIFIED SOME CONCERNS
     E. TRAINING AND GUIDANCE NOT PROVIDED TO SYSTEM USERS

IV.  CONSOLIDATED LIST OF RECOMMENDATIONS

V.   AGENCY COMMENTS

APPENDICES

     A. SCOPE AND METHODOLOGY
     B. FORMAL AGENCY COMMENTS

I. BACKGROUND

NRC’s mission is to regulate the Nation's civilian use of byproduct,
source, and special nuclear materials to ensure adequate
protection of public health and safety, promote the common
defense and security, and protect the environment.
Fundamental
to the regulatory process is NRC’s commercial nuclear power plant
inspection program, which assesses whether plant operations are
properly conducted and equipment is properly maintained.
Inspectors examine licensee activity, provide inspection findings to
licensee managers, and conduct followup inspections to ensure
that corrective actions are taken.

RPS is an information technology tool that provides planning,
scheduling, and reporting capabilities to support the NRC reactor
inspection and licensing programs. It is used by NRC managers to
assess the effectiveness and uniformity of the implementation of
those programs and related policies. NRR and the regions use
RPS to schedule their work assignments and to plan and schedule
licensing activities in NRR and inspection activities at nuclear
power plants.

The RPS database includes inspection and licensing information,
plant performance indicators, inspection followup items, and other
administrative and reactor regulatory data. This information is
contained in 13 currently active modules,[1] 3 of which are
specifically used to track inspection schedules and results of the
inspection program.

Inspection schedules, inspection reports, performance assessment
letters, plant item matrices, performance indicator data, and
operator licensing exam schedules are posted on the NRC external
Web site.
This information provided a single location for the public
to obtain information from RPS and supports the agency’s goal to
ensure openness in the regulatory process.

[1] After audit fieldwork was completed, a 14th module was added to RPS to support the anticipated receipt of
a construction inspection application related to the building of a new nuclear reactor.

System development was initiated in 1995 when NRR recognized a
need for regulatory and administrative improvements in the
inspection program. The system became operational in 1998,
bringing together functions that were previously performed by 10
separate mainframe systems that served the reactor inspection
program in headquarters and the regions. In designing the system,
NRR intended for NRC employees in headquarters and the regions
to use an integrated method for planning, scheduling, and reporting
activities related to reactor inspections.
The system was also
intended to allow data to be entered one time in an effort to reduce
the data duplication that occurred when the inspection data was
stored in separate mainframe systems.

In the years since its implementation, RPS has evolved to meet
changing agency needs and fulfill inspection program requirements.
For example, the agency’s implementation of a revised reactor
oversight process[2] in 2000 necessitated changes in RPS, including
how and what type of information would be stored in the system.

Overall, more than 1,400 people use RPS agencywide, although
not all users have access to all modules. Data is entered into RPS
primarily by regional staff[3] but is analyzed by both regional and
headquarters employees.

NRR developed and funded RPS and continues to support and
maintain the system. To coordinate the needs of NRC regional and
headquarters users, NRR conducts a meeting every 6 months or on
an as-needed basis. Participants, referred to as RPS counterparts,
bring ideas and suggestions for improving the system. Meetings
are chaired by system managers who are responsible for
maintaining and updating the system based on user needs. NRR
modifies RPS in response to changes in agency policies, feedback
received from users, and information shared during the counterpart
meetings. NRR issues updated versions of the system when
appropriate.

RPS cost $2.7 million to develop and costs $650,000 to maintain
yearly.
According to NRC’s Web site, the agency has saved
$800,000 each year due to the discontinued use of the 10
mainframe systems.

[2] OIG has issued two reports assessing components of the revised reactor oversight process:
OIG-02-A-15, Review of NRC’s Significance Determination Process, and OIG-05-A-06, Audit of NRC’s
Baseline Inspection Program. OIG plans to conduct a third audit in this area during fiscal year 2005 on the
performance indicator program.

[3] NRC regional staff includes senior resident inspectors, resident inspectors, and office assistants at
licensee sites, and employees working from NRC’s four regional offices.

II. PURPOSE

The objectives of this audit were to determine if RPS (1) provides
for the availability, confidentiality, and integrity of the data stored in
the system and (2) meets its required operational capabilities.

III. FINDINGS

While the implementation of RPS has allowed for a single system
for entering inspection information, improvements are needed in
RPS to strengthen protection over data stored in the system and
better ensure the system meets its operational requirements.
Specifically, NRC needs to:

- Comply with RPS access control requirements.
- Ensure accurate and timely inspection data.
- Improve management of the system help service.
- Improve the system configuration control process.
- Provide training to system users.

A. NON-COMPLIANCE WITH RPS ACCESS CONTROL REQUIREMENTS

RPS user access to inspection data is not restricted to the minimum
amount necessary because the system offers regional employees
only one level of access to inspection data (read-and-write). In
addition, many employees have access to RPS modules they do
not use. This occurs because (1) there is no written guidance on
which users should receive what level of access and (2) there is no
process for removing users from the system after they no longer
require access. Failure to restrict RPS access increases the risk to
system data accuracy and security.

Security Plan Requirements

The RPS security plan acknowledges that individuals authorized to
have access to information systems potentially impose the greatest
harm to those systems, both accidentally and intentionally. The
RPS security plan lists various security controls to prevent and
detect harm to the system. Such controls include employee
background checks, the ability to associate users with their system
activity, and the practice of restricting a user’s access to data files
and the levels of access (e.g., read, write, execute, delete) to the
minimum amount necessary to perform his or her job.
This latter
practice is known as least privilege.

Least Privilege Principle Not Followed

The RPS security plan states that the least privilege principle
should be followed in granting access rights to system users.
However, this principle is not applied effectively in two ways: (1)
many users have access to modules they do not use and (2) the
amount of access that many users have (write access[4]) to
inspection data exceeds the actual access needed to perform their
job functions.

As noted in the background, RPS contains 13 modules and users
are granted read-only or read-and-write access to varying numbers
of these modules based on the nature of their duties. Of the 13
modules, 3 are used to track inspection schedules and results of
the inspection program:

- The Inspection Planning module contains information on
  inspection schedules for NRC licensee sites, including reactor
  outages and visits by reactor inspectors.
- The Item Reporting module contains the results of all
  inspections performed at the sites, including information on
  safety issues and inspection followup items.
- The Reports module provides users with more than 100
  standard reports on RPS data including information in the
  Inspection Planning and Item Reporting modules.

As of August 2004, 738 headquarters and regional employees were
authorized read access to data in the Inspection Planning module,
684 were authorized read access to data in the Item Reporting
module, and 1,382 were authorized read access to data in the
Reports module. Write access to the Item Reporting and
Inspection Planning modules was more restricted; on average 178
employees in each of NRC’s 4 regional offices were authorized
write access to the inspection data pertaining to their region in
these modules.[5]

[4] Write access is the ability to enter and change system data.

[5] The Reports module does not offer a write-access option because this module uses existing data in the
Item Reporting and Inspection Planning modules to create different reports.

OIG further determined that most of the employees in each region
with write access to inspection data contained in the Inspection
Planning and Item Reporting modules do not require this access.
Relatively few of these individuals actually enter RPS inspection
data in the regions. In one region, 6 employees are responsible for
entering all of the region’s data into RPS, although 200 employees
have the capability. All of these employees are based in the
regional office. In another region, approximately 58 employees
working at both reactor sites and in the region enter such data,
while 144 employees have the capability to do so.
Similarly, in the
other two regions, more individuals have access rights to enter
information in RPS than actually use this capability.

OIG compared the number of employees authorized any type of
access to 11 RPS modules[6] with the number of employees who
actually visited those modules during a 7½-month period during
2004. Many users with access to RPS modules used those
modules rarely, if at all. Table 1 presents a comparison of users
assigned access to each of the 11 RPS modules with the usage
levels for that 7½-month period.

[6] NRR could provide data concerning only 11 of the 13 modules that were functional during the fieldwork
stage of this audit.

Table 1. Comparison of RPS Users With Access to Each Module to Actual Number
of Users, as of August 18, 2004

                                       Number of      Actual Number    Percentage of
                                       Employees      of Users,        Users Who
                                       Authorized     1/1/04-8/18/04   Accessed
Module                                 Access                          Module
-------------------------------------  -------------  ---------------  -------------
Inspection Planning                       738             510              69.1
Item Reporting                            684             451              65.9
Reports                                 1,382             413              29.9
Inspection Procedure Authority System     726             115              15.8
Inspection Planning Cycle                 480              14               2.9
Inspection Report Tracking System          89              42              47.2
Time Resource Inventory Management        607             453              74.6
NRC Utilities                              33              18              54.6
Security Access Method                     39              27              69.2
Safety Information Management System       15               5              33.3
Tables                                     40              31              77.5

As seen above, for five of the modules, less than half of the
authorized users visited the modules at any time during the 7½
months. One module in particular had especially low use with only
2.9 percent of authorized users accessing the module during this
timeframe.

Access Not Sufficiently Restricted

Many regional employees who do not need write access to the
Inspection Planning and Item Reporting modules have it because
RPS offers them only one level of access (read-and-write).
Regional employees are granted read access to all inspection data
in RPS and write access to inspection data pertaining to their
specific region.

In addition, many employees have access to RPS modules they do
not use because they were not removed from the system after they
no longer required access. In headquarters, there is no established
process for offices to inform the RPS system administrator of the
need to terminate user access when an employee’s job duties no
longer require access. In the regional offices, discretion for
removing access is left to the time and labor coordinator. As a
result, headquarters does not provide oversight to ensure that this
process occurs overall.

Failure to restrict access to RPS modules based on the least
privilege principle leads to an increased risk to the accuracy and
integrity of the system data.
In addition, by not removing inactive
users, the system is not in compliance with the principle of least
privilege.

Recommendations

OIG recommends that the Executive Director for Operations:

1. Implement a tiered access level structure that allows users
   access to RPS modules based on the least privilege principle.
   This should include guidance on which users may receive
   what level of access.

2. Implement a process for removing access rights from inactive
   Reactor Program System users.

B. INSPECTION DATA INACCURATE AND UNTIMELY

Some RPS inspection data is inaccurate and untimely because the
regions employ inconsistent quality control processes over RPS
data and because RPS data is never locked down to prevent
alterations to the data after it is entered in the system. Inaccurate
and untimely inspection results can negatively affect NRC
decisionmaking and public confidence. Although there are multiple
safety nets in place, including management expertise, to ensure
public health and safety, inaccurate inspection results could affect
the agency’s ability to fulfill its mission of ensuring public health and
safety.

Data Entry Policy

NRC Inspection Manual, Chapter 0306, “Information Technology
Support for the Reactor Oversight Process,” provides policy and
guidance on using NRC information management systems that
support the reactor inspection program. It requires the timely and
accurate entry of RPS data for all regional reactor inspection
activities.
Furthermore, upon completing an inspection and no later
than 10 days after the exit meeting with the licensee, the branch
chief (or designee) responsible for the inspection must update RPS
with the inspection results.

Inconsistent and Untimely Sample Data

Despite the above cited requirements, data is not consistently
accurate or entered into RPS within the 10-day deadline. OIG
compared data from 32 inspection reports[7] with data contained in
the RPS Item Reporting module. The intent of this comparison was
to determine (1) if the sample sizes reported in the inspection
reports were consistent with the data reported in RPS and (2)
whether the sample size data had been entered within the required
timeframe.[8] In total, OIG assessed the accuracy of 646 data items
and found inconsistencies in 13.5 percent of the sample data.[9]
Based on a statistical analysis of this information, as much as 23
percent of the inspection data could be inconsistent between RPS
and the inspection reports. In one case, the number of instances a
procedure was conducted was overstated by more than 100
percent in RPS. This analysis also identified that 32 percent of the
data concerning sample size was entered into RPS outside the
required time period.
In one instance, data was entered into RPS
378 days after the exit meeting with the licensee.

Inconsistent Quality Control Process

These data inaccuracies and timeliness issues occurred because
the regions employ inconsistent quality control processes over RPS
data and because RPS data is never locked down after it is
entered, allowing it to be modified at any time by anyone with write
access to the data.

[7] Auditors reviewed a total of 646 data items contained in 32 inspection reports. These reports reflected
results drawn from four commercial nuclear power plants in each of NRC’s four regions.

[8] Auditors did not attempt to compare data items in cases where sample size, as described in the inspection
report, was unclear.

[9] RPS data was only compared to inspection report data for consistency. When discrepancies were found,
no conclusions were drawn as to whether RPS or the inspection report contained the correct information.

Although NRC Inspection Manual, Chapter 0306 states that the
branch chief is responsible for quality control of RPS data, there is
no consistent approach to quality control among the regions and
approaches vary considerably in rigor and effectiveness. For
example, one regional branch chief will not transmit an inspection
report to the licensee until this individual has personally checked it
against the data in RPS. In a different region, a branch chief relies
on regional quarterly reviews, which compare the inspection reports
from that quarter against the data in RPS, to catch RPS data errors.

Furthermore, the regions employ inconsistent approaches to
entering information in RPS.
At one extreme, a regional branch chief stated that to reduce the chances of error, a single staff position, the senior project engineer, enters information into the system. This process is enforced throughout the region, which results in only six people entering all inspection information into the system. In a different region, however, the particular inspector who led the inspection is responsible for entering information into RPS. This example results in approximately 58 people entering information into the system.

Another factor that jeopardizes data accuracy is that RPS data is never locked down and subsequently always remains editable. This allows information previously verified as correct to be changed at any time. One branch chief stated there are occurrences where data that had been verified as correct was later changed without the branch chief’s knowledge. This branch chief expressed a desire to have the capability to lock down data to prevent such occurrences. The RPS administrator stated that RPS could be designed to allow data to be locked down.

Impact on NRC Decisionmaking Process

Inaccurate and untimely inspection results can negatively affect NRC decisionmaking and public confidence. Although there are multiple safety nets in place, including management expertise, to ensure public health and safety, inaccurate inspection results could affect the agency’s ability to fulfill its mission of ensuring public health and safety. NRC uses inspection information to ensure that licensees are operating at acceptable safety levels. When this information contains errors or is untimely, it does not provide managers with an accurate picture of the NRC inspection program as to the safety levels at nuclear power plants.
In addition, inspection information is provided to the public via the agency Web site and inaccurate and untimely inspection results can erode confidence in NRC information.

Recommendations

OIG recommends that the Executive Director for Operations:

3. Implement a uniform quality control and Reactor Program System data entry review process that will ensure data accuracy and timeliness.

4. Develop a process to lock down Reactor Program System inspection data fields after the inspection report has been issued.


C. RPS HELP (RPSHELP) IS INEFFICIENT

NRC requires all information technology system administrators to provide their users with support using the system. RPS achieves this through an e-mail account, referred to as RPSHELP. RPSHELP is inefficient and not widely used because the service is not well managed. Specifically, there is no formal process for handling help requests and there are no performance metrics to assess timeliness and user satisfaction. An inefficient help process does not assure that users are receiving timely and adequate responses to their questions.

Help Function

RPSHELP is an NRC e-mail account designed to allow RPS users to convey concerns and questions regarding the system directly to experts who can respond to matters quickly and accurately. RPSHELP was created in 1997 to promote quick and efficient use of the system by helping users better understand how to use the system to meet their specific needs.
NRC Inspection Manual Chapter 0306 informs users that RPSHELP is available and should be used to answer questions regarding use of the system.

No Assignment and Tracking Process

While users are directed to RPSHELP to better understand the system, the response process is inefficient. There is no systematic approach for assigning incoming queries to individuals for providing the responses and there is no formal process for tracking RPSHELP requests to completion and for user satisfaction.

When users submit questions via RPSHELP, three headquarters-based employees who are knowledgeable about RPS are tasked with responding to these queries. Subsequently, upon receipt of an RPSHELP request, one or more of the three responders may opt to respond. According to one responder, there are occasions when multiple responders will send an answer to one user who requested help. In other cases, help requests are overlooked until one of the responders realizes that an answer has not been sent.

In addition, there is no formal tracking of RPSHELP requests to completion and for user satisfaction. The system administrator estimated that questions received via RPSHELP are typically answered within a day or two, but said there is no formal process to track responses. In addition, there are no performance goals concerning timeliness or effectiveness of RPSHELP responses.

Formal Process Needed

The RPSHELP process is inefficient because it is not well managed. Managers have not instituted a process for determining who is responsible for answering questions submitted to RPSHELP. Instead, they rely on an informal process that does not ensure responses are disseminated.
In addition, there is no formal process to determine if answers to help requests are returned in an adequate amount of time or if responses are useful.

Having an inefficient RPSHELP process does not assure that users are receiving timely and adequate responses. Without performance goals and a tracking process to determine whether these goals are met, management cannot assess the effectiveness or timeliness of the answers provided to RPS users.

Recommendations

OIG recommends that the Executive Director for Operations:

5. Formalize a process for handling Reactor Program System Help requests.

6. Create performance metrics to assess timeliness and user satisfaction of Reactor Program System Help.


D. CONFIGURATION CONTROL PROCESS HAS NOT IDENTIFIED SOME CONCERNS

NRC requires that management of information technology systems include configuration control, a process for determining and implementing changes to a system. RPS configuration control is conducted during counterpart meetings.
These meetings have been ineffective in identifying some RPS limitations because regional representatives:

- Have not received formal guidance on gathering user concerns.
- Have not conducted surveys of users on their needs.

By failing to raise these issues at counterpart meetings, regional representatives prevent RPS from being further developed to meet user needs and system objectives.

Configuration Control Requirements

Managers of all NRC systems are required to follow the System Development and Life-Cycle Management (SDLCM) Methodology. This methodology defines the life cycle of an information technology system and describes the processes for developing, enhancing, and maintaining these systems. SDLCM requires the implementation of configuration control over information technology systems. Configuration control is a process of evaluating, approving or disapproving, and monitoring the implementation of changes to a system. RPS configuration control is conducted during counterpart meetings, where changes to the system are discussed, and after the meetings, when NRC makes changes to the system based on these discussions. In 1998, RPS managers provided regional counterparts with guidance describing their responsibilities.
This guidance requires counterparts to:

- Obtain input from users concerning problems and potential enhancements to RPS.
- Raise regional concerns at counterpart meetings.
- Work with other counterparts to reach consensus on needed enhancements to the system.

During the counterpart meetings, a representative from each region meets with the system managers,[10] who are also RPSHELP responders, and other users based in headquarters to discuss regional concerns with the system.

[10] RPS system managers are three NRR employees who are responsible for maintaining and updating the system.

Counterpart Meetings Ineffective

RPS counterpart meetings have been ineffective in bringing some RPS limitations to management attention. Two specific issues that users in all four regions raised with OIG have never been mentioned at the counterpart meetings. These issues are:

- The scheduling feature in RPS is limited and does not contain the level of detail desired by region-based reactor inspectors.
- RPS does not provide a tool for planning and tracking resident inspector annual inspection schedules.

Region-based reactor inspectors travel to commercial nuclear power plants to conduct inspections in the areas of engineering, maintenance, radiological controls, emergency preparedness, security, and operator license requalification. They find the scheduling feature in RPS limiting, as it does not contain the desired level of detail.
The desired level includes the ability to schedule and view the inspection schedule for 18 months, determine if inspections are fully staffed, and assess whether inspections will overlap at the plants. Thus, instead of relying on RPS to meet all of their scheduling needs, users have created separate scheduling tools that incorporate their needs.

Resident inspectors, who conduct inspections that account for a major part of the inspection program, have created tools to track their inspections because RPS does not have this capability. Resident inspectors rely on these separate tracking tools to ensure inspection requirements are completed. For example, these tools track planned inspections throughout the year, inspectors’ plans for implementing inspection programs, and inspections that have been completed. Of the 47 RPS users interviewed, 34 used separate tools to track inspection information.

RPS managers told OIG that they rely on counterpart representatives to bring regional issues to management’s attention. One RPS manager stated that they were unaware of the issues mentioned above, but agreed that these concerns were important and could be addressed by RPS. In addition, many issues were brought to an RPS manager’s attention, during a recent regional office visit, which had never been mentioned at prior counterpart meetings.
The manager said that many of these issues could and would now be addressed in RPS.

System Limitations Not Recognized

Various concerns have not been raised at counterpart meetings for several reasons:

- Counterparts and users have failed to recognize certain issues as problems.
- Counterparts have varying subjective perspectives on what constitutes an issue that is appropriate for discussion at counterpart meetings.
- Counterparts have ineffective methods of reaching out to users to learn of their concerns.

Regional counterparts and system users have not recognized the scheduling issues that have led to the creation of additional systems as problems. Instead, they have accepted the system as is and viewed it as having limited scheduling capabilities. Counterparts and users have stated that the scheduling tool issues reflect an inherent system weakness. Subsequently, instead of bringing these issues to the counterpart meetings to see if the underlying issues can be addressed, counterparts accept that users rely on workarounds, such as separate tracking tools.

RPS regional counterparts rely on subjective criteria to determine what issues rise to the level of appropriateness for discussion at the counterpart meetings. One regional counterpart uses the volume of user requests to identify issues for discussion in counterpart meetings, while another raises any issue if there is no quick workaround to resolve it.

In addition, none of the regional counterparts proactively search for user concerns or issues.
Counterparts bring regional concerns to the counterpart meetings based solely on their recollection of issues users have asked them about during the months preceding the counterpart meeting.

By failing to raise certain concerns at meetings, counterparts prevent RPS from being further enhanced to meet user needs. As stated in the background section of this report, RPS was intended to reduce the number of locations in which inspection data is stored; however, the creation of separate tools does not allow RPS to meet this fundamental goal. In addition, separate tracking tools do not allow NRR managers to have a complete view of the inspection program.

Recommendations

OIG recommends that the Executive Director for Operations:

7. Develop a formal process for Reactor Program System regional counterparts to proactively gather user concerns prior to counterpart meetings.

8. Conduct an annual Reactor Program System user survey to determine the needs of the users.


E. TRAINING AND GUIDANCE NOT PROVIDED TO SYSTEM USERS

Inadequate training and outdated guidance have led to ineffective use of RPS. This has occurred because managers did not deem training and user guidance a priority. As a result, users are unaware of system functionality and there is an increased possibility of data error.

Training Requirements

SDLCM requires that training be provided to information system users to allow them to learn a system and how it operates. In addition, Office of Management and Budget Circular No.
A-130 Appendix III, “Security of Federal Automated Information Resources”, which establishes policy for the management of Federal information resources, requires that users receive training to ensure they understand their roles and responsibilities with a system.

Formal Training and Updated Manuals Needed

RPS training has been inadequate to ensure that users have a thorough understanding of the system. Moreover, written instructions concerning how to use the system are outdated.

RPS users have not received formal training on the system since initial training was provided to RPS users in 1998. Of 47 users interviewed, 24 had never received training. More than 40 percent of those interviewed stated that training would be helpful. Many users stated that they learned how to use RPS solely from on-the-job training. When users have questions on how the system works, they said they ask a more experienced user.

Furthermore, the RPS user manuals containing information on how to enter information in the system and generate reports are outdated. The system has been updated multiple times, but the system manuals were not kept current with the changes. Approximately 45 percent of the 47 users interviewed said a quick reference guide to the system would be useful.

Users have not received training and the manuals have not been updated because the system administrator has not deemed it a priority. RPS managers said they rely on regional counterparts to provide training to users, but there has been no oversight to ensure that such training has been provided.
In addition, regional counterparts have not expressed a need for training to the RPS administrator.

Due to a lack of formal training and updated manuals, users are not fully aware of RPS capabilities. This lack of understanding has led some users to create separate tracking tools for functions that RPS already performs. In addition, lack of training and outdated manuals can lead to the dissemination of incorrect procedures and incorrect information being entered into the system.

During the course of this audit, RPS managers began developing an online user tutorial on how to use main portions of the system. However, users will also need training and current guidance in the interim before this tutorial is completed.

Recommendations

OIG recommends that the Executive Director for Operations:

9. Implement a formal Reactor Program System training program that includes periodic refresher training and classes tailored to different user responsibilities.

10. Complete the efforts to provide users with current system information in the form of online tutorials.

Summary

Without improvements to RPS, NRC decisionmakers cannot have a complete picture of the nuclear power plant inspection program. To support adequate protection of public health and safety, agency decisionmakers need accurate information from RPS. At the time of this audit, RPS contained information that was inaccurate and incomplete. Reliance on faulty data or data that has not been locked down could result in poor decisionmaking.
Improvements in RPS will strengthen protection over data stored in the system and better ensure that the system meets its operational requirements. Specifically, this will allow:

- RPS to be in compliance with system access control requirements.
- Accurate and timely information to be used in decisionmaking and when informing the public.
- The system help service to be more responsive to user needs.
- The system to meet the needs of the users.
- Users to better understand the system through training and guidance.


IV. CONSOLIDATED LIST OF RECOMMENDATIONS

OIG recommends that the Executive Director for Operations:

1. Implement a tiered access level structure that allows users access to RPS modules based on the least privilege principle. This should include guidance on which users may receive what level of access.

2. Implement a process for removing access rights from inactive Reactor Program System users.

3. Implement a uniform quality control and Reactor Program System data entry review process that will ensure data accuracy and timeliness.

4. Develop a process to lock down Reactor Program System inspection data fields after the inspection report has been issued.

5. Formalize a process for handling Reactor Program System Help requests.

6. Create performance metrics to assess timeliness and user satisfaction of Reactor Program System Help.

7. Develop a formal process for Reactor Program System regional counterparts to proactively gather user concerns prior to counterpart meetings.

8.
   Conduct an annual Reactor Program System user survey to determine the needs of the users.

9. Implement a formal Reactor Program System training program that includes periodic refresher training and classes tailored to different user responsibilities.

10. Complete the efforts to provide users with current system information in the form of online tutorials.


V. AGENCY COMMENTS

At an exit conference with agency senior executives held on March 2, 2005, NRC officials generally agreed with the report’s findings and recommendations. Subsequent to that meeting, OIG staff met with NRR staff to address specific issues and concerns needing further clarification and/or explanation. On March 31, 2005, the Executive Director of Operations provided a formal response to this report in which he agreed with the final version of the report.
Appendix B contains a copy of the agency’s written comments.


Appendix A
SCOPE AND METHODOLOGY

Auditors reviewed RPS to determine if (1) the system provides for the availability, confidentiality, and integrity of the data stored in the system and (2) RPS meets its required operational capabilities. This audit focused on RPS as an information technology system with regard to the system modules that handle inspection planning and results.

The OIG audit team reviewed relevant criteria, including Management Directive 8.13, Reactor Oversight Process; NRC Inspection Manual, Chapter 0306, “Information Technology Support for the Reactor Oversight Process”; and Office of Management and Budget Circular No. A-130 Appendix III, “Security of Federal Automated Information Resources”.
The audit team also reviewed the RPS Benefit-Cost Analysis and Security Plan.

Auditors interviewed NRR staff responsible for the RPS system to understand the development and management of the system. Auditors also interviewed RPS users in all four NRC regions, including branch chiefs, senior project engineers, project engineers, reactor inspectors, resident inspectors, and resident office assistants to determine users’ interaction and satisfaction with the system.

Auditors compared information from paper inspection reports to the corresponding information in the Item Reporting module of RPS in order to determine accuracy and timeliness of the data in RPS. Auditors reviewed a total of 646 data items contained in 32 inspection reports. These reports reflected results drawn from four commercial nuclear power plants in each of NRC’s four regions.

This work was conducted from June 2004 through January 2005, in accordance with generally accepted Government auditing standards and included a review of management controls related to audit objectives. The work was conducted by Beth Serepca, Team Leader; David Ditto, Senior Management Analyst; and Rebecca Underhill, Management Analyst.


Appendix B
FORMAL AGENCY COMMENTS
"